Mqtt > ca_cert error

Continuing the discussion from Mqtt integration error:

Have you solved this issue?

What is your scenario? You have a chirpstack docker install and are trying to add TLS to your MQTT broker? Is your install on an RPI like the OP? What have you done so far? Are there errors in the logs?

You are aware that the MQTT Integration button in the UI is only for signing certificates if you already have TLS set up on your MQTT broker, yes?

Hello,
Thanks for the response …

1) Scenario – We have developed an OpenWrt-based OS on the base of ChirpStack Gateway OS. So far we are through with 90% of the things we need to date.

… What I need for MQTT is …

“The MQTT integration forwards events to a MQTT broker” >> This line is mentioned in the MQTT integration in Application … How to proceed? I mean “Get Certificate”, sign certificate?

I am getting these errors!
Read mqtt ca_cert: No such file or directory (os error 2) > While GET CERTIFICATE
Error
Read mqtt ca_cert: No such file or directory (os error 2) > While Generate certificate

Mosquitto TLS configuration - ChirpStack open-source LoRaWAN® Network Server documentation

He solved my problem with reference.
And the file must be 0644
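
A check for the `Read mqtt ca_cert: No such file or directory (os error 2)` error discussed above, added here as an example and not part of any post or of ChirpStack itself: it lists every `ca_cert` / `ca_key` path set in a `chirpstack.toml` and reports whether each file exists, is readable, and what its mode is. The function names are hypothetical; run it as the user ChirpStack runs as (inside the container for a Docker install), because that is where the paths are resolved.

```sh
#!/bin/sh
# Added example (not ChirpStack code): diagnose
#   "Read mqtt ca_cert: No such file or directory (os error 2)"
# by checking every ca_cert / ca_key path set in a chirpstack.toml.

# Print "section key path" for each non-empty ca_cert / ca_key assignment.
list_ca_paths() {
    awk '
        /^[ \t]*\[/ {
            s = $0; gsub(/[ \t]/, "", s); sub(/^\[/, "", s); sub(/\]$/, "", s)
            section = s; next
        }
        /^[ \t]*ca_(cert|key)[ \t]*=/ {
            k = $0; sub(/^[ \t]*/, "", k); sub(/[ \t]*=.*$/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v); sub(/[ \t]*$/, "", v)
            if (v != "") print section, k, v
        }
    ' "$1"
}

# Report each path; return 1 if any is missing or unreadable, 2 if none is set.
check_chirpstack_ca() {
    rc=0
    found=$(list_ca_paths "$1")
    [ -n "$found" ] || { echo "no ca_cert/ca_key set in $1"; return 2; }
    while read -r section key path; do
        if [ ! -e "$path" ]; then
            status="MISSING"; rc=1
        elif [ ! -r "$path" ]; then
            status="UNREADABLE by $(id -un)"; rc=1
        else
            perms=$(ls -ld "$path" | cut -c1-10)
            status="OK $perms"
            # The CA key signs broker client certificates: flag it if
            # any other local user can read it.
            case "$key:$perms" in
                ca_key:???????r*) status="$status (world-readable key)" ;;
            esac
        fi
        echo "[$section] $key=$path: $status"
    done <<EOF
$found
EOF
    return $rc
}

# Usage: check_chirpstack_ca /etc/chirpstack/chirpstack.toml
```

A `MISSING` line for a path that exists on the host usually means the certificate directory is not mounted into the ChirpStack container at that path.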

This is a pretty typical confusion on the forum so let me clarify. The “get certificate” button under integrations in the UI is not the MQTT integration that forwards events to another broker.

The “get certificate” button signs a certificate that allows MQTT clients to connect to your MQTT Broker if you have TLS set up on your MQTT broker. All the button does is sign a certificate using the CA the MQTT broker uses, such that gateway bridges and such can connect to the broker.

What I believe you want is to enable the MQTT integration which forwards MQTT events to an external broker. This is actually enabled by default in Chirpstack but it forwards the events to the MQTT broker Chirpstack uses to make debugging easier. To forward these integration events to an external broker you only need to change a single line in your chirpstack.toml. Towards the bottom of your chirpstack.toml there should be the following lines:


[integration]
  enabled=["mqtt"]
  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true

If not, you can add them. Simply set the $MQTT_BROKER_HOST to the IP of your external broker and Chirpstack will then forward all “integration events” (starting with “application/” as opposed to “region_prefix/”) to the external broker.

Can it specify a topic?
Publish, subscribe
Another question is:
After configuring CA certificates for chirpstack and mosquitto,
my gateway lora_pkt_fwd is no longer online.
After removing the CA certificate, it is restored.

chirpstack.toml

[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true

[gateway]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"

[integration.mqtt.client]
client_cert_lifetime="12months"
ca_cert="/etc/chirpstack/certs/ca.pem"
ca_key="/etc/chirpstack/certs/ca-key.pem"

mosquitto.conf

listener 1883
allow_anonymous true
listener 8883 0.0.0.0
cafile /mosquitto/config/certs/ca.pem
certfile /mosquitto/config/certs/mqtt-server.pem
keyfile /mosquitto/config/certs/mqtt-server-key.pem
require_certificate true
use_identity_as_username true
acl_file /mosquitto/config/acl

You cannot specify the MQTT topics that get forwarded in Chirpstack. If you needed to accomplish this, you would have to use another third-party application to translate the event topics before forwarding them to the other broker.

When you configure certificates for Mosquitto (MQTT Broker) your gateway can no longer connect to the MQTT broker because the Broker now only allows secure connections, as is the entire purpose of setting up TLS. So assuming you have the gateway bridge installed on your gateway you need to configure the chirpstack-gateway-bridge.toml (or mqtt forwarder if you are using that instead) with the certificates as well. The certificate for the gateway-bridge can be retrieved through the web interface using the MQTT integration “get certificate” button.

Good, you explained it very clearly.
I did not add any options or files related to CA certificates in chirpstack-gateway-bridge.toml.
Additionally, if I want to forward MQTT messages without TLS, it is a direct modification of
chirpstack.toml

[integration]
  enabled=["mqtt"]

  [integration.mqtt]
    server="tcp://$MQTT_BROKER_HOST:1883/"
    json=true

Still need binary files Downloads - ChirpStack open-source LoRaWAN® Network Server documentation

Is that a question? If so, you do not need to download any other packages to have Chirpstack forward MQTT events to another broker; all that is required is to change the server= line in the [integration.mqtt] section of your chirpstack.toml. The MQTT forwarder package you linked is not for this purpose; the “chirpstack mqtt forwarder” is just a lightweight replacement for the gateway bridge, and it forwards MQTT from the gateway to the server, not from the server to an external broker.

Thank you. I now understand the relationship between these three. And the working principle.